CVE-2023-32063: 
PHP vulnerability analysis and mitigation

OroCalendarBundle enables a Calendar feature and related functionality in Oro applications. The vulnerability (CVE-2023-32063) allows back-office users to access information from any call event by bypassing ACL security restrictions due to insufficient security checks. This issue was discovered in versions 4.2.0 through 4.2.5, 5.0.0 through 5.0.3, and 5.1.0 through 5.1.1, and has been patched in versions 5.0.4 and 5.1.1 (Vendor Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.0 (Medium), with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N. This indicates that the vulnerability can be exploited over the network (AV:N), requires low attack complexity (AC:L), needs low privileges (PR:L), requires no user interaction (UI:N), changes scope (S:C), and has low impact on confidentiality (C:L) with no impact on integrity (I:N) or availability (A:N) (NVD).

The vulnerability allows unauthorized access to call event information, potentially exposing sensitive data to users who should not have access based on ACL security restrictions (Vendor Advisory).

The vulnerability has been patched in versions 5.0.4 and 5.1.1. Users are recommended to upgrade to these patched versions to address the security issue (Vendor Advisory).